---
title: "Enrichment"
---

Keep workflows support **enrichment**, a powerful feature that allows you to enhance alerts with additional data, making them more actionable and meaningful. Enrichments add custom fields or modify existing ones in an alert directly from your workflow.

---

## Why Enrich Alerts?

- **Provide Context:** Add critical information, such as related customer data or ticket IDs.
- **Enable Automation:** Use enriched fields in subsequent actions for dynamic processing.
- **Improve Visibility:** Surface essential metadata for better decision-making.

---

## How to Enrich Alerts

### Using the `enrich_alert` Directive

The `enrich_alert` directive is used in actions to add or update fields in the alert. You specify a list of key-value pairs where:
- `key` is the field name to add or update.
- `value` is the data to assign to the field. It can be a static value or dynamically derived from steps or other parts of the workflow.

### Example Workflow with Enrichment

```yaml
workflow:
  id: enrich-alert-example
  description: Demonstrates enriching alerts
  triggers:
    - type: alert
  steps:
    - name: get-customer-details
      provider:
        type: mysql
        config: "{{ providers.mysql-prod }}"
        with:
          query: "SELECT * FROM customers WHERE customer_id = '{{ alert.customer_id }}'"
          single_row: true
  actions:
    - name: enrich-alert-with-customer-data
      provider:
        type: mock
        with:
          enrich_alert:
            - key: customer_name
              value: "{{ steps.get-customer-details.results.name }}"
            - key: customer_tier
              value: "{{ steps.get-customer-details.results.tier }}"
```

In this example:
- The `get-customer-details` step fetches customer data based on the alert.
- The `enrich_alert` directive adds `customer_name` and `customer_tier` to the alert.

---


## Enrichment Syntax

### Key-Value Pairs
Each enrichment is defined as a key-value pair:

```yaml
enrich_alert:
  - key: field_name
    value: field_value

```

- **Static Values:** Use static strings or numbers for straightforward enrichments:
```yaml
- key: alert_source
  value: "Monitoring System"
```

-- **Dynamic Values:** Use values derived from steps, actions, or the alert itself:
```yaml
- key: severity_level
  value: "{{ alert.severity }}"
```

### Conditional Enrichment

You can combine enrichment with conditions to enrich alerts dynamically:

```yaml
actions:
  - name: enrich-critical-alert
    if: "{{ alert.severity == 'critical' }}"
    provider:
      type: mock
      with:
        enrich_alert:
          - key: priority
            value: high
```

## Advanced Use Cases


### Enrich Alerts with Results from Actions
Enrichments can use results from actions, allowing dynamic updates based on previous steps:
```yaml
enrich_alert:
  - key: ticket_id
    value: "{{ actions.create-ticket.results.ticket_id }}"
  - key: ticket_url
    value: "{{ actions.create-ticket.results.ticket_url }}"

```

## Enrichment Workflow Example

This example demonstrates how to enrich an alert with ticket details from ServiceNow:

```yaml
workflow:
  id: servicenow-ticket-enrichment
  triggers:
    - type: alert
  steps:
    - name: fetch-alert-details
      provider:
        type: keep
        with:
          filter: "alert_id == '{{ alert.id }}'"
  actions:
    - name: create-servicenow-ticket
      provider:
        type: servicenow
        config: "{{ providers.servicenow }}"
        with:
          table_name: INCIDENT
          payload:
            short_description: "Alert: {{ alert.name }}"
            description: "{{ alert.description }}"
      enrich_alert:
        - key: ticket_id
          value: "{{ results.sys_id }}"
        - key: ticket_url
          value: "{{ results.link }}"

```
